Tag Archives: iPhone


Monica Belluci and Security

Trends – security and movie stars, Manuela Arcuri and Monica Bellucci, Verisign and McAfee.

Information security and risk analysis are complex, with multiple dimensions of people, software, performance, management, technology, assets, threats, vulnerabilities and control relationships. This is why it’s hard to sell security to organizations. But information security is also a lot like fashion, with cyclical hype and theater: today, HIPAA, iOS and Android security; yesterday, Sarbanes-Oxley, federated identity management, data loss protection and application security firewalls.

Back in 2007, I thought we might see a return to the Age of Reason, where rational risk management replaces blind compliance checklists. I thought this could happen for 2 reasons:

  1. Compliance projects can have good business value, if you focus on improving the product and its delivery.
  2. Security is like fashion – both are cyclical industries, and the wheel can also turn in the right direction.

HIPAA compliance is a minimum but not sufficient requirement for product and process improvement.

Healthcare companies and medical device vendors that do HIPAA compliance projects may be paying a steep price for HIPAA compliance without necessarily getting a return on their investment by improving the core features and functionality of their products and service offerings.

Compliance driving improvements in products and services is good for business, not just a mantra from McAfee.

It could happen, but then again, maybe not. Look at the trends. Taking a sample of articles published in 2011 on the eSecurityPlanet Web site, we see that mobile devices and cloud services lead the list, followed by IT security, with healthcare closing the top 15. I guess cost-effective compliance is a lot less interesting than Android security.

  1. iOS vs. Android Security: And the Winner Is?
  2. iOS 5 Enterprise Security Considerations – You can’t keep Apple out of the enterprise anymore, so it’s best to figure out the most secure way to embrace it, writes Dan Croft of Mission Critical Wireless.
  3. PlayBook Tops in Tablet Security – Recent price reductions may mean more BlackBerry PlayBook tablets entering your organization, but that may not be such a bad thing for IT security teams.
  4. Android Security Becoming an Issue – As the Android mobile platform gains market share, it also garners a lot of interest from cyber crooks as well as IT security vendors.
  5. Which Browser is the Most Secure? – The ‘most hostile’ one, say researchers at Accuvant Labs.
  6. How to Prevent Employees from Stealing Your Intellectual Property – It’s the employee with the sticky hands that is the easiest and cheapest to thwart.
  7. Security Spend Outpacing the Rest of IT – High profile breaches and mobile devices are driving IT security spending.
  8. Public Cloud Keys Too Easy to Find – If you put the keys to your cloud infrastructure in plain sight, don’t be surprised if you get hacked.
  9. Zeus (Still) Wants Your Wallet – The antivirus community has failed to figure out this able and persistent piece of malware. It’s as simple as that.
  10. Spear Phishing Quickly Coming of Age – Even the security giants are not immune from this sophisticated and growing form of attack, writes Jovi Bepinosa Umawing of GFI Software.
  11. Penetration Testing Shows Unlikely Vulnerabilities – Enterprises need to dig deeper than just automated scanning to find the really interesting and dangerous cyber security flaws.
  12. Bank Fraud Still Costing Plenty – Bank fraud is and will continue to be an expensive problem.
  13. Do IT Security Tools Really Make You Safer? – Yet another suite of tools for IT security folks to administer and manage can actually have the opposite effect.
  14. Siege Warfare in the Cyber Age – In one of the unlikeliest turns of events brought about by technology, it looks like Middle Ages’ siege warfare may be making a comeback, writes Gunter Ollmann of Damballa.
  15. Healthcare Breaches Getting Costlier – And it’s not just dollars and cents that are on the line – reputations are on the line, writes Geoff Webb of Credant Technologies.

3GPP Long Term Evolution – new threats or not?

3GPP Long Term Evolution (LTE) is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute.

The question is, what will be the data security impact of LTE deployments? As LTE is IP based and IPv6 becomes more common in the marketplace, will the security requirements of mobile devices become similar to those of traditional networked devices? There is already a huge trend for BYOD (Bring Your Own Device) at work, which certainly causes a lot of headaches for information security staff. Will the greater bandwidth and flat IP networks of LTE increase the threat surface for corporate IT?

Other than higher performance, LTE features a flat IP network, but I don’t see how that increases the threat surface in any particular way. The security requirements for mobile networked devices are similar to those for traditional wired devices, but the vulnerabilities are different, namely the potential of an unmanaged BYOD tablet or smartphone to be an attack vector back into the enterprise network and a channel for data leakage. The introduction of Facebook smart phones is far more interesting as a new vulnerability to corporate networks than smart phones with the 100MB download and 20MB upload afforded by LTE.

I am not optimistic about the capability of a company to manage employee-owned mobile devices centrally, or to rein in smartphones and tablets with awareness programs. Instead of trying to do the impossible or the dubious, I submit that enterprises that are serious about mobile data security must take 3 basic steps, after accepting that BYOD is a fact of life and that security awareness has limited utility as a security countermeasure.

  1. Reorganize physical, phone and information security into a single group with one manager. This group must handle all data, software, IT, physical (facilities) and communications issues with a single threat model driven by the business and updated quarterly. There is no point in pretending that the only phones used by employees are phones installed and operated by the company’s telecom and facilities group. That arrangement went out the door 10 years ago.
  2. Develop a threat model for the business – this is key to keeping up with the rapidly growing threats posed by BYOD. Update that model quarterly, not yearly.
  3. The CEO must take an uncompromising stance on data leaks and ethical employee behavior. It should be part of the company’s objectives, measurable in monetary terms just like increasing sales by 10% etc.


Mobile device security challenges

It has been said that there is nothing new under the sun and that every generation forgets or never learned the hard-earned lessons from the spilled blood of the previous generation.

Reviewing the security and compliance issues of a new mobile medical device recently, I was struck by how familiar many of the themes are.

What makes mobile devices special? Actually nothing.

Deploying line of business or life science applications on mobile Android tablets or an iPad has a different set of security requirements than backing up your address book. It requires thinking about the software security and privacy vulnerabilities in a systematic way and using a rigorous practical threat analysis methodology. As we will show in this short article, the key vulnerabilities of mobile devices are similar to traditional IT security vulnerabilities even if the threat surface is dramatically different.

However, a software security assessment of a life science software application deployed on a mobile device needs to look beyond the malware, spyware and data breach attacks on the device. Mobile Android tablets or iPads running electronic medical records applications are usually deployed in uncontrolled, complex and highly vulnerable environments such as enterprise IT networks in hospitals. The software security issues are much more severe than those of a single tablet: a combination of network vulnerabilities, application software vulnerabilities and malicious attackers, superimposed on the large, complex threat surface of an enterprise IT network.

The mobile medical device is now an attack vector into the hospital network, a far more valuable asset than the mobile device itself.

It seems that there are 5 key areas of vulnerability for mobile devices, and, not surprisingly, they all coincide with the classic IT network vulnerabilities:

Protocol coverage is lacking: Mobile devices often rely on built-in firewalls or enterprise network isolation. The protection that firewalls provide is only as good as the policy they are configured to implement, and there are a whole slew of issues related to remote security policy management of untethered devices. I expect that analysis of network exploits on mobile devices with internal firewalls will match analysis of real-world configuration data from corporate firewalls, which shows rule sets that frequently violate well-established security guidelines (for example, zone-spanning objects and lack of stealth rules). In addition, a stateful inspection firewall on a mobile device doesn’t perform deep content inspection on complete sessions and is therefore blind to data theft attacks – for example, piggy-back attacks on text messaging in order to steal sensitive data.

Proxy-based access to control a device is convenient but may enable attackers to compromise a device and steal data. Proxies give end-point devices direct access to the Internet, and research with clients shows us that as much as 20 percent of all endpoints already bypass content filtering proxies on the enterprise IT network.

Visibility of network transactions is usually missing, making incident response very difficult: Firewall and proxy logs are generally never analyzed, and often lag hours behind an event. An IPS often relies on anomaly detection. Anomaly detection relies on network flow data, which is often reported at intervals of 15 to 45 minutes. With that kind of lag, an entire network can be brought down. Because anomaly detection is looking for an anomalous event rather than an attack, it is frequently plagued by time-consuming false positives. A proxy, on the other hand, relies on URL filtering and simple keyword matching that analyzes the HTTP header and URL string. By looking at content and ignoring the network, a proxy can suffer from high rates of false negatives, missing attacks.

Multiple security and application layers increase the cost of implementation and maintenance. Installation of multiple, disparate, proxy-based security products complicates network and end-point maintenance. Proxies require changes to the network infrastructure and in large networks may be impossible to install. Updating mobile device application software to the latest patch levels can be challenging to enforce and control, and may result in injecting new software vulnerabilities into the device, as there is probably no central IT administrator in charge of updating the mobile electronic medical records application running on 300 Android tablets in the hospital.

Redundant, multiple network security elements increase risk in the overall solution: This is additional risk that manifests itself as a result of the interaction between mobile devices accessing cloud services via a complex system of cache servers, SSL accelerators, load balancers, reverse proxy servers, transparent proxies, IDS/IPS and Web application firewalls. Consider that endpoints can bypass SSL proxies by specifying a gateway IP address, and transparent proxies on a Windows network are no assurance against unauthenticated user agents bypassing the entire proxy infrastructure. HTTP-aware firewalls such as Web application firewalls can be completely or partially bypassed in some cases. Transparent proxies can be compromised by HTTP response splitting techniques, since they rely on fine-grained mechanisms of matching strings in HTTP headers. This is why Mozilla is delaying their implementation of WebSockets, which may not matter if you’re running Chrome OS.
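The first area above says firewall protection is only as good as the configured policy and names two guideline violations that real-world rule sets frequently show, zone-spanning objects and a missing stealth rule. The following is an added example, not code from the original post: a small policy linter that checks a constructed rule set for exactly those two problems. The zone layout, the object and rule format, and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample topology (an assumption for this illustration): each
# security zone is an address range; "outside" is the catch-all.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.10.0/24"),
    "outside": ipaddress.ip_network("0.0.0.0/0"),
}
# Addresses of the firewall's own interfaces (constructed sample values).
FIREWALL_ADDRS = ["192.168.10.1", "203.0.113.1"]
# Named address objects as a management console would define them.
OBJECTS = {
    "inside-net": ["10.1.2.3", "10.1.2.4"],
    "web-servers": ["192.168.10.10", "192.168.10.11"],
    "all-servers": ["192.168.10.10", "10.1.2.3"],  # mixes dmz and inside hosts
    "fw-self": FIREWALL_ADDRS,
}

def zone_of(addr):
    """Longest-prefix match of one address against the zone table."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, name) for name, net in ZONES.items() if ip in net)[1]

def expand(field, objects):
    """Resolve a rule field to a set of addresses; None stands for 'any'."""
    if field == "any":
        return None
    return {ipaddress.ip_address(a) for a in objects.get(field, [field])}

def zone_spanning_objects(objects, firewall_addrs):
    """Objects whose members sit in more than one zone: a rule that uses such
    an object grants the same access in every zone it touches. The group of
    the firewall's own interfaces is skipped because it spans zones by design."""
    fw = {ipaddress.ip_address(a) for a in firewall_addrs}
    return sorted(
        name for name, members in objects.items()
        if {ipaddress.ip_address(m) for m in members} != fw
        and len({zone_of(m) for m in members}) > 1
    )

def has_stealth_rule(rules, objects, firewall_addrs):
    """True if the first rule able to match traffic addressed to the firewall
    itself is a drop covering every firewall address (rules are top-down)."""
    fw = {ipaddress.ip_address(a) for a in firewall_addrs}
    for rule in rules:
        dst = expand(rule["dst"], objects)
        if dst is None or dst & fw:
            return rule["action"] == "drop" and (dst is None or fw <= dst)
    return False

def lint(rules, objects, firewall_addrs):
    """Return the guideline violations found in a policy as plain strings."""
    findings = [f"zone-spanning object: {n}"
                for n in zone_spanning_objects(objects, firewall_addrs)]
    if not has_stealth_rule(rules, objects, firewall_addrs):
        findings.append("no stealth rule: traffic to the firewall itself is not dropped first")
    return findings

# Constructed policies: BAD_RULES lets inside hosts reach the firewall before
# the stealth rule is evaluated; GOOD_RULES moves the stealth rule to the top.
BAD_RULES = [
    {"src": "inside-net", "dst": "any", "service": "any", "action": "accept"},
    {"src": "any", "dst": "fw-self", "service": "any", "action": "drop"},
    {"src": "any", "dst": "web-servers", "service": "https", "action": "accept"},
    {"src": "any", "dst": "any", "service": "any", "action": "drop"},
]
GOOD_RULES = [BAD_RULES[1], BAD_RULES[2], BAD_RULES[0], BAD_RULES[3]]
```

Calling `lint(BAD_RULES, OBJECTS, FIREWALL_ADDRS)` reports both findings, while the reordered `GOOD_RULES` still reports the zone-spanning `all-servers` object, since moving rules around does not fix an object definition.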

It’s a new dawn but with old rules.


The emotional content of security

I think in the security space, we spend too much time on the business justification and functional part of security (reducing risk, detecting data breach violations, complying with HIPAA, writing secure Web 2.0 applications, securing cloud services, security information management etc.).

I think we’re ignoring the emotional content of security and I don’t necessarily mean FUD (fear uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of “selling security with FUD”, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11. You couldn’t frighten people anymore. Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people. This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited, and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler” is a wonderful example of how market education pays off at the beginning of a new product life-cycle launch, but yields low or no benefits at all once the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad. Now, after CES, we have dozens of mobile tablets – Android tablets, Windows Mobile tablets, Ubuntu tablets – alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.

Market education of CEOs on the business advantages of data security is like motherhood and apple pie: it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI, because the CEO has already decided to buy or not buy security based on what someone else said – whether it’s Perot outsourcing services, IBM, Oracle or his golf partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security Kool-Aid as Oracle, IBM, ISACA and SAP. The only problem is that a security consultant doesn’t sell a product, but bolt-on/after-sale services – and generally doesn’t get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

  • They define their industry similarly, focusing on being the best.
  • They look at accepted strategic groups of buyers and market segments, for example CSOs and firewalls.
  • They focus on the same buyer groups, e.g. influencers (security officers, CIOs, analysts and thought leaders).
  • They define the scope of products similarly: data security, firewalls, DLP, software security assessments etc.
  • They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year it was DLP etc.

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I’m not sure. And that will be the topic for the next post.

Data availability and integrity – the Apple/Microsoft version

I have over 2,300 contacts on my iPhone and, like any reasonable person, I wanted to back up my contacts. I figure my iPhone won’t last forever. Like a fool, I thought it might be a good idea to test the restore process also.

The Ubuntu One service based on Funambol doesn’t really work, so that pretty much left me with the iTunes and Windows option.

It seems that the combination of two closed-source software companies, intent on preventing users from seeing what’s going on and convinced that users are incompetent with low double-digit IQs, is a killer combination. As you will see from the events described below, it appears that both Microsoft and Apple believe firmly that users should back up their iPhone contacts but will never really want to restore the data.

At 14:00 this afternoon – I started my exercise in backing up my iPhone contacts.

14:00 – Plugged in my iPhone to a new Windows 7 Pro PC. Took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection. In the meantime, Windows 7 was complaining that I should use a faster USB port and offered a list of ports, none of which work. Go away. Zusu!

14:15 – Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps. Interestingly enough, the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was that no phone numbers were transferred – only email addresses. Seems there is a bug. I don’t have time for this.

14:30 – Back into iTunes. This time, I choose to sync my iPhone contacts with the Windows Contacts, since I don’t use Outlook. No dialogs about replacing or merging, and it worked. Minor problem: the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts, since the Windows Contacts was empty (I imagine hardly anyone actually uses Windows Contacts, a kludgy, slow and incredibly stupid way of storing one contact per file). Well Dorothy, we are not in Kansas anymore; your iPhone Contacts is now empty.

15:00 – After a bit of thinking about where my contacts might have gone, I realize that I have 3 alternatives: (1) restore my contacts from our CRM system (which runs in the cloud and doesn’t have an iPhone Contacts sync option) and a bunch of other places I’ve cunningly stored contacts, (2) try and figure out where Apple has hidden their backup files or (3) ssh into the iPhone and try and restore manually with sqlite. I choose option 2.

15:30 – After some googling, I discover that the iTunes backup files are hidden in a %AppsData% something path, which is impossible to find in Windows 7 using Windows Explorer. But if you type %AppsData% in the run program line you get access to the file path. Google is your best friend.

15:45 – iTunes backs up into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records; that is at least a step ahead of Windows Contacts, storing 1 contact per file… perhaps the Microsoft Windows 7 team has not heard of SQL yet). I pull up the data into a text/hex editor and of course the phone numbers are encoded in some proprietary Apple format, so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts. More googling: if you have a Mac there is a command line utility, or you can pay $25 and get a Windows application that decodes the proprietary Apple backup file format into a CSV file or series of VCF files.

16:00 – My PayPal account is not up to date since the card linked to the account expired end of November and I haven’t reverified yet. Got the software with my Visa and jumped through a few hoops to give a couple of identifiers and finally get a registration number, activate the application and I finally have my original iPhone contacts file, but we’re not out of the woods yet – we still have to restore.

16:05 – Uploaded the CSV file to Google Contacts. But, for some bizarre and inconceivably cruel reason, iTunes sync refuses to actually load data into the iPhone.

16:15 – After several more attempts, including rebooting Windows 7, restarting iTunes and rebooting the iPhone, I give up – iTunes refuses to sync from Google Contacts.

16:30 – Plan B – use Windows Contacts. I attempt to import, but after 10 minutes and 1200 records, the import process fails on an error with no indication of what caused the error. Must be a data problem, so I try and improve the quality of data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.

17:30 – Plan C – use Outlook. Here’s a gotcha: Outlook won’t import from the CSV file, claiming it’s open by another application or insufficient permissions. Too bad the programmers didn’t look at open file hooks and tell the user the name of the Windows application that is holding the file handle open. Of course, it must be the Windows Contacts import process (which is not running if you look at the task manager), but after a few minutes I identify a hidden process related to Windows Contacts import and I kill it.

18:00 – Outlook is slow as molasses on import, but the same CSV file that was poison to Windows Contacts gets imported with flying colors to Outlook. I try to run a quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran…). Forget it, I don’t have time to sing and play games with Outlook 2003.

18:05 – Back to iTunes. And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts. It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig – fall asleep on the sofa.

20:00 – Wife and daughter back from shopping, and the iTunes sync from Outlook has finished in the meantime, in between dreams about user-unfriendly software.

23:55 – Conclusions

1. The iPhone backup process is slow and buggy on all versions of iOS. Just google for “iphone contacts backup problems” and you will get over 3 million hits.

2. Apple does not have a data restore from backup strategy. Otherwise, iTunes would have a “Backup iPhone Contacts” and “Restore iPhone Contacts” menu. Entertainment is more important than data. This is why Apple stock is at 321.

3. The usability and reliability of Windows 7 Contacts is beyond contempt. No entertainment either. This is why Microsoft stock is at 23.

4. My next smart phone will be an Android.

Enjoy.
